amadey | 43979eec990561d1024709380f8d7b97f95156f672f2aa37ebc4806eccf62571

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flasher.exe
Size

1.9MB
MD5

7175d81d25f930437cbe872da4d6146e
SHA1

aff6402b462e139b998e4afc4cdef7cdb246f788
SHA256

9a3f94eb934151c3114d646d229289b5670a0f99f99393a6f2b692ec5cf9cab3
SHA512

3aa38a22511cc5d5717b2af284d9ba7b1f8228bd603930b9c4853c22f12b87c92c9b49e8b469f75c195b2b5a3f74bb5ca92f0890666bf659d6fef6c3c0f67082
SSDEEP

24576:1dTwms7tp9VZ5Mo2QhG3aMUFgElJkWQezUmops7mwfMZhrS2N6zKnBDGxk8uE+cG:/1et19y+lMLOz49Gxk8Z+cq

Score

10^/10

amadey svcstealer discovery downloader persistence stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects SvcStealer Payload 35 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral3/files/0x000a00000001da09-103.dat	family_svcstealer
behavioral3/memory/224-106-0x00007FF636B90000-0x00007FF636C95000-memory.dmp	family_svcstealer
behavioral3/memory/224-104-0x00007FF636B90000-0x00007FF636C95000-memory.dmp	family_svcstealer
behavioral3/memory/1832-114-0x00007FF6C4EF0000-0x00007FF6C4FF5000-memory.dmp	family_svcstealer
behavioral3/memory/1832-115-0x00007FF6C4EF0000-0x00007FF6C4FF5000-memory.dmp	family_svcstealer
behavioral3/memory/2464-122-0x00007FF61D050000-0x00007FF61D155000-memory.dmp	family_svcstealer
behavioral3/memory/2464-123-0x00007FF61D050000-0x00007FF61D155000-memory.dmp	family_svcstealer
behavioral3/memory/4672-135-0x00007FF765520000-0x00007FF765625000-memory.dmp	family_svcstealer
behavioral3/memory/4672-134-0x00007FF765520000-0x00007FF765625000-memory.dmp	family_svcstealer
behavioral3/memory/2852-142-0x00007FF664510000-0x00007FF664615000-memory.dmp	family_svcstealer
behavioral3/memory/2852-143-0x00007FF664510000-0x00007FF664615000-memory.dmp	family_svcstealer
behavioral3/memory/3832-155-0x00007FF784B50000-0x00007FF784C55000-memory.dmp	family_svcstealer
behavioral3/memory/3832-156-0x00007FF784B50000-0x00007FF784C55000-memory.dmp	family_svcstealer
behavioral3/memory/1900-180-0x00007FF7866C0000-0x00007FF7867C5000-memory.dmp	family_svcstealer
behavioral3/memory/1900-181-0x00007FF7866C0000-0x00007FF7867C5000-memory.dmp	family_svcstealer
behavioral3/memory/4556-188-0x00007FF699E80000-0x00007FF699F85000-memory.dmp	family_svcstealer
behavioral3/memory/4556-189-0x00007FF699E80000-0x00007FF699F85000-memory.dmp	family_svcstealer
behavioral3/memory/756-210-0x00007FF7876C0000-0x00007FF7877C5000-memory.dmp	family_svcstealer
behavioral3/memory/756-211-0x00007FF7876C0000-0x00007FF7877C5000-memory.dmp	family_svcstealer
behavioral3/memory/1504-218-0x00007FF6BA620000-0x00007FF6BA725000-memory.dmp	family_svcstealer
behavioral3/memory/4672-225-0x00007FF74FB70000-0x00007FF74FC75000-memory.dmp	family_svcstealer
behavioral3/memory/1604-232-0x00007FF641D90000-0x00007FF641E95000-memory.dmp	family_svcstealer
behavioral3/memory/1604-233-0x00007FF641D90000-0x00007FF641E95000-memory.dmp	family_svcstealer
behavioral3/memory/2896-240-0x00007FF655910000-0x00007FF655A15000-memory.dmp	family_svcstealer
behavioral3/memory/2896-241-0x00007FF655910000-0x00007FF655A15000-memory.dmp	family_svcstealer
behavioral3/memory/4588-248-0x00007FF76E270000-0x00007FF76E375000-memory.dmp	family_svcstealer
behavioral3/memory/4588-249-0x00007FF76E270000-0x00007FF76E375000-memory.dmp	family_svcstealer
behavioral3/memory/3168-257-0x00007FF7EAED0000-0x00007FF7EAFD5000-memory.dmp	family_svcstealer
behavioral3/memory/3168-256-0x00007FF7EAED0000-0x00007FF7EAFD5000-memory.dmp	family_svcstealer
behavioral3/memory/4052-265-0x00007FF654B50000-0x00007FF654C55000-memory.dmp	family_svcstealer
behavioral3/memory/4052-264-0x00007FF654B50000-0x00007FF654C55000-memory.dmp	family_svcstealer
behavioral3/memory/2288-272-0x00007FF6C1110000-0x00007FF6C1215000-memory.dmp	family_svcstealer
behavioral3/memory/2288-273-0x00007FF6C1110000-0x00007FF6C1215000-memory.dmp	family_svcstealer
behavioral3/memory/5044-280-0x00007FF776720000-0x00007FF776825000-memory.dmp	family_svcstealer
behavioral3/memory/5044-281-0x00007FF776720000-0x00007FF776825000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Downloads MZ/PE file 2 IoCs

flow	pid	Process
24	696	Gxtuum.exe
24	696	Gxtuum.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Flasher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fdnwxcx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Gxtuum.exe

Executes dropped EXE 32 IoCs

pid	Process
1624	ezezeww.exe
1908	vcpcjo.exe
216	fdnwxcx.exe
3480	vzycvcxx.exe
3600	cedbaefbacc.exe
2556	ezezeww.exe
1148	cedbaefbacc.exe
332	vzycvcxx.exe
3776	svchost.exe
696	Gxtuum.exe
4888	cedbaefbacc.exe
224	cedbaefbacc.exe
2688	cedbaefbacc.exe
1832	cedbaefbacc.exe
2464	cedbaefbacc.exe
4672	cedbaefbacc.exe
2852	cedbaefbacc.exe
3832	cedbaefbacc.exe
3384	uu.exe
1900	cedbaefbacc.exe
4556	cedbaefbacc.exe
4876	zz.exe
756	cedbaefbacc.exe
1504	cedbaefbacc.exe
4672	cedbaefbacc.exe
1604	cedbaefbacc.exe
2896	cedbaefbacc.exe
4588	cedbaefbacc.exe
3168	cedbaefbacc.exe
4052	cedbaefbacc.exe
2288	cedbaefbacc.exe
5044	cedbaefbacc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cedbaefbacc = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezezeww.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cedbaefbacc = "\"C:\\ProgramData\\cedbaefbacc.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Roaming\\vzycvcxx.exe"	vzycvcxx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\svchost.exe"	vzycvcxx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cedbaefbacc = "\"C:\\ProgramData\\cedbaefbacc.exe\""	ezezeww.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	fdnwxcx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzycvcxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdnwxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzycvcxx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	ezezeww.exe
1624	ezezeww.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
216	fdnwxcx.exe
3508	Explorer.EXE
3508	Explorer.EXE

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1624	1076	Flasher.exe	86
PID 1076 wrote to memory of 1624	1076	Flasher.exe	86
PID 1624 wrote to memory of 3508	1624	ezezeww.exe	56
PID 3508 wrote to memory of 5044	3508	Explorer.EXE	88
PID 3508 wrote to memory of 5044	3508	Explorer.EXE	88
PID 3508 wrote to memory of 1504	3508	Explorer.EXE	89
PID 3508 wrote to memory of 1504	3508	Explorer.EXE	89
PID 3508 wrote to memory of 4816	3508	Explorer.EXE	90
PID 3508 wrote to memory of 4816	3508	Explorer.EXE	90
PID 1076 wrote to memory of 1908	1076	Flasher.exe	87
PID 1076 wrote to memory of 1908	1076	Flasher.exe	87
PID 1076 wrote to memory of 216	1076	Flasher.exe	91
PID 1076 wrote to memory of 216	1076	Flasher.exe	91
PID 1076 wrote to memory of 216	1076	Flasher.exe	91
PID 1076 wrote to memory of 3480	1076	Flasher.exe	93
PID 1076 wrote to memory of 3480	1076	Flasher.exe	93
PID 1076 wrote to memory of 3480	1076	Flasher.exe	93
PID 3508 wrote to memory of 4792	3508	Explorer.EXE	96
PID 3508 wrote to memory of 4792	3508	Explorer.EXE	96
PID 3508 wrote to memory of 1244	3508	Explorer.EXE	98
PID 3508 wrote to memory of 1244	3508	Explorer.EXE	98
PID 4816 wrote to memory of 3600	4816	cmd.exe	100
PID 4816 wrote to memory of 3600	4816	cmd.exe	100
PID 1504 wrote to memory of 2556	1504	cmd.exe	101
PID 1504 wrote to memory of 2556	1504	cmd.exe	101
PID 5044 wrote to memory of 1148	5044	cmd.exe	102
PID 5044 wrote to memory of 1148	5044	cmd.exe	102
PID 4792 wrote to memory of 332	4792	cmd.exe	103
PID 4792 wrote to memory of 332	4792	cmd.exe	103
PID 4792 wrote to memory of 332	4792	cmd.exe	103
PID 1244 wrote to memory of 3776	1244	cmd.exe	104
PID 1244 wrote to memory of 3776	1244	cmd.exe	104
PID 1244 wrote to memory of 3776	1244	cmd.exe	104
PID 216 wrote to memory of 696	216	fdnwxcx.exe	105
PID 216 wrote to memory of 696	216	fdnwxcx.exe	105
PID 216 wrote to memory of 696	216	fdnwxcx.exe	105
PID 3508 wrote to memory of 2112	3508	Explorer.EXE	107
PID 3508 wrote to memory of 2112	3508	Explorer.EXE	107
PID 2112 wrote to memory of 4888	2112	cmd.exe	110
PID 2112 wrote to memory of 4888	2112	cmd.exe	110
PID 3508 wrote to memory of 384	3508	Explorer.EXE	112
PID 3508 wrote to memory of 384	3508	Explorer.EXE	112
PID 3508 wrote to memory of 4820	3508	Explorer.EXE	113
PID 3508 wrote to memory of 4820	3508	Explorer.EXE	113
PID 384 wrote to memory of 224	384	cmd.exe	119
PID 384 wrote to memory of 224	384	cmd.exe	119
PID 3508 wrote to memory of 4952	3508	Explorer.EXE	122
PID 3508 wrote to memory of 4952	3508	Explorer.EXE	122
PID 4952 wrote to memory of 1832	4952	cmd.exe	124
PID 4952 wrote to memory of 1832	4952	cmd.exe	124
PID 3508 wrote to memory of 4172	3508	Explorer.EXE	125
PID 3508 wrote to memory of 4172	3508	Explorer.EXE	125
PID 4172 wrote to memory of 2464	4172	cmd.exe	127
PID 4172 wrote to memory of 2464	4172	cmd.exe	127
PID 3508 wrote to memory of 3200	3508	Explorer.EXE	129
PID 3508 wrote to memory of 3200	3508	Explorer.EXE	129
PID 3200 wrote to memory of 4672	3200	cmd.exe	131
PID 3200 wrote to memory of 4672	3200	cmd.exe	131
PID 3508 wrote to memory of 4724	3508	Explorer.EXE	134
PID 3508 wrote to memory of 4724	3508	Explorer.EXE	134
PID 4724 wrote to memory of 2852	4724	cmd.exe	136
PID 4724 wrote to memory of 2852	4724	cmd.exe	136
PID 3508 wrote to memory of 4716	3508	Explorer.EXE	138
PID 3508 wrote to memory of 4716	3508	Explorer.EXE	138

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\Flasher.exe
  "C:\Users\Admin\AppData\Local\Temp\Flasher.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Roaming\ezezeww.exe
    "C:\Users\Admin\AppData\Roaming\ezezeww.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1624
- - C:\Users\Admin\AppData\Roaming\vcpcjo.exe
    "C:\Users\Admin\AppData\Roaming\vcpcjo.exe"
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Users\Admin\AppData\Roaming\fdnwxcx.exe
    "C:\Users\Admin\AppData\Roaming\fdnwxcx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:696
    - - C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe"
        5⤵
        Executes dropped EXE
        
        PID:4876
- - C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    "C:\Users\Admin\AppData\Roaming\vzycvcxx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ezezeww.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Roaming\ezezeww.exe
    C:\Users\Admin\AppData\Roaming\ezezeww.exe
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\ProgramData\svchost.exe
    C:\ProgramData\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:4820
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:4716
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:224
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:2532
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:1312
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:4500
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:4472
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:1792
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:2256
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:1120
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:2776
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:1900
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:5032
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\cedbaefbacc.exe"
  2⤵
  PID:1416
- - C:\ProgramData\cedbaefbacc.exe
    C:\ProgramData\cedbaefbacc.exe
    3⤵
    - Executes dropped EXE
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cedbaefbacc.cfg

Filesize
18B

MD5
5673b82007c14faa27815dd6d411e0fb

SHA1
0af56c0356b4c54b23551e202aae9b83d33f708f

SHA256
a99d81fda220d603dfbfbe8e7be1fe6d8a677efe8f8d8f48f49f6f9b9ba47c19

SHA512
5f2274fefbe830fdfba5d9505135ac64beb17fa34ba90b6e3860b832744df4a56d42434fd8437f59bac33f0145dc452771df601e2eb77c377a02643a2ef3aaad

Download Submit
C:\ProgramData\cedbaefbacc.exe

Filesize
1021KB

MD5
942e285920589ef847f851c6b6bf5f19

SHA1
2e71b51c07d0b5b9c4fbfef187565c77af8164d8

SHA256
32146febb4fdc0f80c8460696c5063d3dcbf1af3989f599b31cba52680cf2aff

SHA512
c4623e113eaa98dcf8a487ebff515f88251892c4d1ffd35959d77811c1e6a959015e3a73dcacae83fadcb1ba1eb86951b4e32fabef05584b18db2fc3705bc8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe

Filesize
177KB

MD5
4d38d0416a7392711f340e87f22ea4ba

SHA1
85d501d7fd5fc843e96be88caf6c1f1054aa2f28

SHA256
95b64cf5502b24d592c79f2611b76d5d8035c8061c4af6b1ff6800ec2b46442f

SHA512
3a86a6521fb856220875c9bac2c01ce82e7e67e515285273f7687596dc6c169949af8703d835654506c8205bcf6d372403c9ea925c0bf2969f11227d7cacb5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\218366390125

Filesize
83KB

MD5
e02411e009f9c0e7635249ec1a4a8ab5

SHA1
a2fe48b94fde2f0827baade21b34e8a197c15b8e

SHA256
8c6da42061ef2da26ea0ac2eb04445f5e58ada2966bf86aaeaf8576dfd008699

SHA512
69ba9d7b1692d8606797c5877299df2148d160c7c52ad91983f30441f42382f38c5e0486a91c67eaf2550b5f7f1653732866170651ee618f9fabb29b0d9bd5aa

Download Submit
C:\Users\Admin\AppData\Roaming\ezezeww.exe

Filesize
615KB

MD5
4a29417a8df35479c00de90163d48605

SHA1
0c77f0e769005320a2f1920086d8006262b07cea

SHA256
4709bfc0f1c220009ef45f182f8ae5a3f6844dac62646f1b2da3f43ebfd52db1

SHA512
161e2c5dc4f860841e12da7dfd8f9637d6e91da95122271b74a44fb82c605a4662275fabab3e346d5e984d527530571da32c1014bcacda78a0074d080bce0594

Download Submit
C:\Users\Admin\AppData\Roaming\fdnwxcx.exe

Filesize
429KB

MD5
8b12410737d2ea98450d892a8f838c3f

SHA1
1b60e0e7dc1a46d421db6c876274971f7d9f8944

SHA256
f700d0b50bb04e46842ba6448e91059d4c6499ab4a2500a82871edecb62ef026

SHA512
d3fcce4443b1d922fdd6d1541271cbbc938542424f6fc9b3cd8589f9d78c7654828e0deaa221fe4631a367c860716d2317a62251540f6358a3e3278fc76007dd

Download Submit
C:\Users\Admin\AppData\Roaming\vcpcjo.exe

Filesize
253KB

MD5
f06d851cdd529123efc8d1cab870da81

SHA1
a390c3754d3ac2141a2fd4cf5ebcbf465aa4cf58

SHA256
87e08f435857867edb66e89c3420402430fd334054a746fa81650b2f0a6a510c

SHA512
e947205a06f178428eabab077587640f1bacfef865fe33843bc2ed63d7f876965146424a16223f5c77a07103d28e0e94feeeaacfed62636a596862c981634e43

Download Submit
C:\Users\Admin\AppData\Roaming\vzycvcxx.exe

Filesize
176KB

MD5
3cca4d7501ae251c233d331d77f3060a

SHA1
04a2c3ae8bcec4cce30637d690fe2d0f43b09b44

SHA256
20cbb4516d585a430f0ef5a26e2f3ea9f9902b385e034414d0e1a4ae57b0d285

SHA512
4012da4b846082a025272530261dc0c579924fe51ae7ff18c13d11de9ff7e12ad51dc3f0b5c835d21ad64c4b45358037e121dfc8c513e3c52d91d141536b8b6c

Download Submit
memory/224-106-0x00007FF636B90000-0x00007FF636C95000-memory.dmp

Filesize
1.0MB

Download
memory/224-104-0x00007FF636B90000-0x00007FF636C95000-memory.dmp

Filesize
1.0MB

Download
memory/756-211-0x00007FF7876C0000-0x00007FF7877C5000-memory.dmp

Filesize
1.0MB

Download
memory/756-210-0x00007FF7876C0000-0x00007FF7877C5000-memory.dmp

Filesize
1.0MB

Download
memory/1148-66-0x00007FF75FE80000-0x00007FF75FF1F000-memory.dmp

Filesize
636KB

Download
memory/1504-218-0x00007FF6BA620000-0x00007FF6BA725000-memory.dmp

Filesize
1.0MB

Download
memory/1604-232-0x00007FF641D90000-0x00007FF641E95000-memory.dmp

Filesize
1.0MB

Download
memory/1604-233-0x00007FF641D90000-0x00007FF641E95000-memory.dmp

Filesize
1.0MB

Download
memory/1624-17-0x00007FF7A27F0000-0x00007FF7A288F000-memory.dmp

Filesize
636KB

Download
memory/1624-47-0x00007FF7A27F0000-0x00007FF7A288F000-memory.dmp

Filesize
636KB

Download
memory/1832-114-0x00007FF6C4EF0000-0x00007FF6C4FF5000-memory.dmp

Filesize
1.0MB

Download
memory/1832-115-0x00007FF6C4EF0000-0x00007FF6C4FF5000-memory.dmp

Filesize
1.0MB

Download
memory/1900-180-0x00007FF7866C0000-0x00007FF7867C5000-memory.dmp

Filesize
1.0MB

Download
memory/1900-181-0x00007FF7866C0000-0x00007FF7867C5000-memory.dmp

Filesize
1.0MB

Download
memory/2288-272-0x00007FF6C1110000-0x00007FF6C1215000-memory.dmp

Filesize
1.0MB

Download
memory/2288-273-0x00007FF6C1110000-0x00007FF6C1215000-memory.dmp

Filesize
1.0MB

Download
memory/2464-123-0x00007FF61D050000-0x00007FF61D155000-memory.dmp

Filesize
1.0MB

Download
memory/2464-122-0x00007FF61D050000-0x00007FF61D155000-memory.dmp

Filesize
1.0MB

Download
memory/2556-63-0x00007FF7A27F0000-0x00007FF7A288F000-memory.dmp

Filesize
636KB

Download
memory/2852-143-0x00007FF664510000-0x00007FF664615000-memory.dmp

Filesize
1.0MB

Download
memory/2852-142-0x00007FF664510000-0x00007FF664615000-memory.dmp

Filesize
1.0MB

Download
memory/2896-241-0x00007FF655910000-0x00007FF655A15000-memory.dmp

Filesize
1.0MB

Download
memory/2896-240-0x00007FF655910000-0x00007FF655A15000-memory.dmp

Filesize
1.0MB

Download
memory/3168-257-0x00007FF7EAED0000-0x00007FF7EAFD5000-memory.dmp

Filesize
1.0MB

Download
memory/3168-256-0x00007FF7EAED0000-0x00007FF7EAFD5000-memory.dmp

Filesize
1.0MB

Download
memory/3508-22-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-52-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/3508-91-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-15-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-101-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-85-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3508-30-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-23-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3508-56-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/3508-18-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-25-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-21-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/3508-24-0x0000000003090000-0x0000000003135000-memory.dmp

Filesize
660KB

Download
memory/3508-29-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/3600-58-0x00007FF75FE80000-0x00007FF75FF1F000-memory.dmp

Filesize
636KB

Download
memory/3832-156-0x00007FF784B50000-0x00007FF784C55000-memory.dmp

Filesize
1.0MB

Download
memory/3832-155-0x00007FF784B50000-0x00007FF784C55000-memory.dmp

Filesize
1.0MB

Download
memory/4052-264-0x00007FF654B50000-0x00007FF654C55000-memory.dmp

Filesize
1.0MB

Download
memory/4052-265-0x00007FF654B50000-0x00007FF654C55000-memory.dmp

Filesize
1.0MB

Download
memory/4556-188-0x00007FF699E80000-0x00007FF699F85000-memory.dmp

Filesize
1.0MB

Download
memory/4556-189-0x00007FF699E80000-0x00007FF699F85000-memory.dmp

Filesize
1.0MB

Download
memory/4588-248-0x00007FF76E270000-0x00007FF76E375000-memory.dmp

Filesize
1.0MB

Download
memory/4588-249-0x00007FF76E270000-0x00007FF76E375000-memory.dmp

Filesize
1.0MB

Download
memory/4672-134-0x00007FF765520000-0x00007FF765625000-memory.dmp

Filesize
1.0MB

Download
memory/4672-225-0x00007FF74FB70000-0x00007FF74FC75000-memory.dmp

Filesize
1.0MB

Download
memory/4672-135-0x00007FF765520000-0x00007FF765625000-memory.dmp

Filesize
1.0MB

Download
memory/4888-88-0x00007FF7A3090000-0x00007FF7A312F000-memory.dmp

Filesize
636KB

Download
memory/4888-87-0x00007FF7A3090000-0x00007FF7A312F000-memory.dmp

Filesize
636KB

Download
memory/5044-280-0x00007FF776720000-0x00007FF776825000-memory.dmp

Filesize
1.0MB

Download
memory/5044-281-0x00007FF776720000-0x00007FF776825000-memory.dmp

Filesize
1.0MB

Download